Non-disclosure agreements (NDAs) impose obligations to refrain from disclosing information, take measures to protect the confidentiality of information and/or use information only for a specified purpose or purposes. In this post, I look at the issues surrounding the use of NDAs in the IT industry, and consider some of the typical situations in which they may be used.
Law of confidence
Obligations of confidentiality can arise under the law of confidence even where there is no contract. However, as the Law Commission has recognised, the law of confidence is entirely judge-made, and breach of confidence litigation is an uncertain and unreliable way to protect business secrets (Law Commission Report No. 110 (1981)). In part for this reason, businesses shouldn't rely upon the law of confidence alone, and should consider the use of an NDA, whenever they are disclosing confidential business information to others. Confidentiality is a particularly important form of asset protection in the computer industry, where any technology-based competitive edge will not last long.
Confidentiality and intellectual property
The law concerning the protection of confidential information is closely related to intellectual property law. There are many uncertainties and gaps in the protection that intellectual property law affords to processes, techniques, ideas, and information in the IT industry – for instance, computer programs are not generally patentable in the EU. NDAs can be used to create non-disclosure obligations that supplement intellectual property laws, and thereby to clarify some of the uncertainties and fill some of the gaps.
NDAs: drafting issues
Before considering the specific situations in which NDAs may be used, I will look at several of the key drafting issues affecting NDAs: the difference between unilateral and reciprocal agreements, ways of defining confidential information, the question of who is bound by an NDA, the duration of obligations and the impact of data protection law.
When to contract
As a general rule, it is better to sign an NDA before confidential information is disclosed, rather than after. That said, an appropriately drafted NDA may protect information that was disclosed before execution.
Unilateral or reciprocal?
A reciprocal (sometimes called a mutual or two-way) agreement puts non-disclosure obligations on both parties and is appropriate when both sides are revealing sensitive information. Where only one party is disclosing sensitive information, a unilateral (also called a one-way) agreement will be appropriate.
Defining confidential information
It is important to carefully consider the definition of confidential information in an NDA. You need to ensure that the relevant information is covered, and that irrelevant information is excluded. You should consider whether information provided orally should be included within the definition. Whilst information needn't be "top secret" to be protectable, and NDAs can protect information that wouldn't be given protection by the law of confidence, a non-disclosure obligation may still be unenforceable on public policy grounds if the definition of confidential information is too wide - for example if it relates to trivial information. Looking at this question from the other side of the fence, if you are going to be subject to confidentiality obligations under an NDA, you should take care to ensure that those obligations do not overly hinder your business activities. This is especially important if the non-disclosure obligations continue for a long period or indefinitely (see below).
Who is bound?
An NDA should identify the persons to whom information may be disclosed and, if not signed by all of those persons, should identify the means by which further onward disclosure will be prevented. For example, the primary disclosee may be obliged to ensure that all persons to whom the information is disclosed enter into NDAs with the primary disclosee on specified terms that are enforceable by the disclosor as a third party beneficiary.
Duration of obligations
Confidentiality obligations under an NDA may be of a fixed or indefinite duration. Businesses need to be especially careful when agreeing to be bound for an indefinite period.
Information disclosed under an NDA may include personal data, and such personal data may be subject to data protection law. Typically in these circumstances, the disclosor will be a "data controller" under the Data Protection Act 1998 while the disclosee will be a "data processor". A data processing clause may be used within the NDA to ensure information is not disclosed illegally.
NDAs: where are they used
I consider here four situations in which NDAs are very commonly used in the IT industry: when a new business opportunity is being negotiated; when a business is outsourcing software or web development work; when a developer is sub-contracting work to bring in additional resources or expertise; and when an employee is taken on.
The process of negotiating a new business proposition (whether taking the form of a joint venture, a company, a partnership or otherwise) will almost inevitably involve the disclosure of sensitive information, such as financial figures, client lists, business ideas and technical process information. It is usually sensible to protect the information disclosed during negotiations using a reciprocal NDA.
Software and web development
Much web and software development is outsourced to developers. For some types of work, clients will want to impose non-disclosure obligations upon the developers. For example, where the project is based upon a new technology, a new business concept, or a confidential business relationship, an NDA will be of considerable importance.
Design and development work may be sub-contracted by a developer to freelancers, whether to access additional resources or expertise. In this situation, the developer will want to ensure that first, the sub-contracting of the work won't involve the breach of any non-disclosure obligations imposed on the developer by the client, and second, that appropriate non-disclosure obligations are imposed upon the persons to whom the work is sub-contracted. Typically, the obligations imposed by the developer upon the sub-contractor will be as strong or stronger than those imposed by the client on the developer.
Employees may have access to at least some of the confidential information of a business. Non-disclosure obligations, in a form approved by an employment lawyer, should always be imposed upon such employees.
Conclusions: one tool amongst many
NDAs are an important part of any business's legal toolkit. However, they are no use in relation to the disclosure of sensitive information by those who have not signed up to their terms. NDAs should supplement practical information security measures (which are mostly just common sense). For instance: restrict access to confidential information on a need-to-know basis; where possible, only provide object code to customers; larger organisations should institute an information security policy - one that includes regular reviews; lock doors, windows and filing cabinets; and so on. The practices and processes of many businesses in relation to information security are less than ideal. NDAs often contain a provision requiring that the disclosee protect the confidential information of the disclosor "with the same degree of care that the disclosee takes to protect its own confidential information". For some businesses, this is not a very high standard to meet!
This article was researched and written by Gareth Sims.